Long-Distance Decoy-State Quantum Key Distribution in Optical Fiber 

The theoretical existence of photon-number-splitting attacks creates a security loophole for most quantum
key distribution (QKD) demonstrations that use a highly attenuated laser source. Using ultra-low-noise, high- 
efficiency transition-edge sensor photo-detectors, we have implemented the first version of a decoy state protocol 
that incorporates finite statistics without the use of Gaussian approximations in a one-way QKD system, enabling 
the creation of secure keys immune to photon-number-splitting attacks and highly resistant to Trojan horse
attacks over 107 km of optical fiber. 

Quantum key distribution (QKD), which enables users to
create a shared key with secrecy guaranteed by the laws of
physics, is arguably the most advanced application in the
growing field of quantum information science. Since the first 
demonstration in 1992 the field has advanced sufficiently 
that commercial systems are now available. Most current 
QKD implementations use "prepare and measure" protocols 
that involve the sender (Alice) preparing a single photon in a 
quantum state and sending it to the receiver (Bob), who then 
measures the photon. Attempts by an eavesdropper (Eve) to 
obtain information about the state of the single photon will 
introduce an error rate in the transmission, which alerts the 
users to Eve's presence. 

For example, to implement the Bennett-Brassard 1984 
(BB84) protocol Alice randomly encodes a single photon 
with either a 0 or a 1 in one of two conjugate bases and sends
the photon to Bob. Bob performs a measurement in one of 
the two bases, and communicates the time slots for which he 
obtained detection events. Alice and Bob then create a sifted 
key by only retaining events where they used the same ba- 
sis. Ideally, Alice's sifted bits should be perfectly correlated 
with Bob's if Eve did not attack the transmission, but any real 
system has error rates due to experimental imperfections. Er- 
ror correction removes these errors, leaving Alice and Bob 
with a perfectly correlated key. However, this key is not yet 
completely secret because, in principle, the errors may have 
arisen from Eve attacking the system. Therefore, a final step
of privacy amplification is used to obtain a shorter, secret
key about which Eve has negligible information. 

The lack of readily available single-photon sources, espe- 
cially at telecom wavelengths where most fiber-based QKD 
systems operate, modifies the simple picture outlined above 
considerably. If the source emits more than one photon, Eve
could remove one of the photons and store it until Bob an- 
nounces his basis choice, at which time she would measure 
the photon in the correct basis and learn the bit value with- 
out introducing any errors. Therefore, in addition to assuming 
that all errors arise from Eve's interaction with single photons, 
it is also necessary to assume that Eve can gain full informa- 
tion about any sifted bits that arose from multi-photon events. 



To determine the number of sifted bits that were encoded in 
single photons, it is often assumed that the transmission chan- 
nel acts as a simple beamsplitter [2]. However, an eavesdrop- 
per with unlimited technological capabilities may modify the 
channel properties so that this is no longer valid. For instance, 
she may perform a photon-number-splitting (PNS) attack by 
replacing the link with a lossless channel, blocking as many 
single photons at the output of Alice as she can, while keeping
the rate of photons that Bob receives constant, and removing
one photon from each multiphoton pulse [6]. Protection
against such attacks requires far more privacy amplification 
than the case where a beamsplitter channel is assumed, and 
if the rate of multiphotons present at the output of Alice is 
greater than the rate of detection events recorded by Bob, then 
Eve could have full knowledge of every sifted bit. 

QKD systems often use heavily attenuated laser sources, 
which results in a Poisson distribution of photon number. The 
fraction of non-vacuum pulses that contain more than one 
photon is approximately $\mu/2$ when the laser is pulsed with a
mean photon number $\mu < 1$. To keep the rate of multiphotons
sufficiently low for PNS security, it is necessary to operate
with $\mu$ on the order of the channel transmittance $\eta$, yielding a
sifted bit rate that is proportional to $\eta^2$. As the transmission
loss increases and the sifted bit rate decreases, detector
dark counts play an increasingly important role, eventually 
leading to such high error rates that secret key generation is 
impossible. For fiber QKD, where the channel transmittance 
drops off exponentially with distance, the requirement of PNS 
security was until recently thought to severely limit the link 
length for weak coherent pulse QKD.

The recent development of decoy state protocols [12, 13]
has drastically improved the outlook for the security
of weak laser based QKD. Decoy-state QKD allows the users
to place a rigorous lower bound on the single photon chan- 
nel transmittance, including receiver losses, and therefore the 
number of detections at Bob that originated from single pho- 
tons. Because no assumptions are made about modifications 
to the channel transmittance by an eavesdropper, a PNS at- 
tack would easily be detected. Decoy-state QKD has previ- 
ously been demonstrated over link lengths of 15 and 60 km 
[14, 15], with a suggested maximum PNS-secure range of
about 140 km if InGaAs avalanche photodiodes with the
best-reported parameters for QKD in the literature are used [16].
However, those experiments employed a two-way system that
has been shown to be susceptible to Trojan horse attacks [17],
negating the purpose of QKD to create unconditionally secure
keys. In contrast, the present work was performed with a one-way
system, which is much less susceptible to Trojan horse
attacks. In this paper, we report on the first experimental
decoy-state QKD demonstration in a one-way QKD system
that can create unconditionally secure quantum key.

The simplest decoy state protocol requires Alice to emit signals
whose values are randomly toggled between two values
$\mu_1$ and $\mu_0$. For a given signal, Eve does not know whether Alice
used $\mu_0$ or $\mu_1$, so she must treat single photon signals from
either mean photon number identically. Because the fraction
of single photon signals depends on $\mu$, it is impossible for
Eve to perform a PNS attack by simultaneously modifying the
channel transmission correctly for more than one value of $\mu$.
By comparing the number of detection events from $\mu_0$ and $\mu_1$
transmissions, Alice and Bob are able to place strict bounds
on the single photon transmittance of the channel.

A three-level decoy-state protocol ($[\mu_0, \mu_1, \mu_2 = 0]$) with
$\mu_1 \ll \mu_0$ enables even better characterization of the channel
parameters, which can be illustrated as follows. Bob's count
of detection events when Alice sent vacuum ($\mu_2$) provides an
estimate of the background and dark count detection probability,
$y_0$, per clock cycle of the system. From this estimate,
they can develop upper and lower bounds on $y_0$ with a user-defined
level of confidence $1 - \epsilon$, with $\epsilon \ll 1$. The confidence
interval calculations in our case were computed numerically
as opposed to making a Gaussian approximation, which may
be a poor fit far out in the tails of the binomial distribution
governing both the transmission and error probabilities. Next,
they consider how many detection events Bob received when
Alice prepared mean photon number $\mu_1 \ll 1$. After subtracting
off background, most of the remaining events are from
single-photon signals, providing an estimate and confidence
levels for the single photon transmittance $y_1$. Finally, they
can utilize the lower bound on $y_1$ to determine the number of
the stronger $\mu_0$ detection events that originated as single photon
signals at Alice. While this outline is helpful for gaining
intuition, it does not explain the specific values of mean photon
numbers that should be chosen for an experiment such as
ours.

More generally, the channel analysis is carried out
by simultaneously solving for the n-photon signal transmittance
variables $y_n$ under a set of linear inequalities
formed by confidence intervals $[Y_j^-, Y_j^+]$ on the detection
probabilities per clock cycle $Y_j$ for each $\mu_j$ [13]:

$$Y_j^- \le e^{-\mu_j} \sum_{n=0}^{\infty} \frac{\mu_j^n}{n!}\, y_n \le Y_j^+ .$$

The region of consistent solutions forms a convex polyhedron, and a lower bound
$y_1^- \le y_1$ can easily be found by linear programming. A similar
set of inequalities relates the confidence intervals on the
observed bit error rates for each $\mu_j$ to the $y_n$ and the n-photon
bit error rates $b_n$. While simultaneously solving both sets of
inequalities could in principle yield a tight bound on the single
photon bit error rate $b_1$, we chose to instead use a conservative
upper bound $b_1^+$ by treating all observed sifted bit errors
as having come from single-photon signals. Details on channel
estimation and optimization of experimental parameters
for fiber decoy state QKD will be published separately [18].
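
The finite-statistics estimate described in the two paragraphs above can be tried numerically. The Python below is an added example, not the authors' code: it computes exact binomial confidence bounds by bisection, compares them with the Gaussian approximation, and lower-bounds $y_1$ with a closed-form relaxation of the inequalities rather than the full linear program. The pulse and detection counts are constructed, $\epsilon = 10^{-7}$ is an assumed value, and $\mu_2$ is treated as exact vacuum.

```python
from math import exp, lgamma, log, log1p, sqrt
from statistics import NormalDist

def tail(n, k, p, upper):
    """P(X >= k) if upper else P(X <= k) for X ~ Binomial(n, p), summed outward from k."""
    if p <= 0.0:
        return 1.0 if (k == 0 or not upper) else 0.0
    term = exp(lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)
               + k * log(p) + (n - k) * log1p(-p))
    odds, total, i = p / (1.0 - p), 0.0, k
    while 0 <= i <= n and term > 1e-18 * total:
        total += term
        if upper:   # pmf(i+1) = pmf(i) * (n-i)/(i+1) * odds
            term, i = term * (n - i) / (i + 1) * odds, i + 1
        else:       # pmf(i-1) = pmf(i) * i/(n-i+1) / odds
            term, i = term * i / (n - i + 1) / odds, i - 1
    return min(total, 1.0)

def exact_interval(n, k, eps):
    """Exact binomial bounds (p-, p+); each side is wrong with probability <= eps."""
    lo, hi = 0.0, k / n                     # p-: largest p with P(X >= k | p) <= eps
    for _ in range(80):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if tail(n, k, mid, True) <= eps else (lo, mid)
    p_minus = lo
    # p+: smallest p with P(X <= k | p) <= eps; bracket is wide enough for eps >= 1e-15
    lo, hi = k / n, min(1 - 1e-12, (k + 10 * sqrt(k) + 50) / n)
    for _ in range(80):
        mid = (lo + hi) / 2
        lo, hi = (lo, mid) if tail(n, k, mid, False) <= eps else (mid, hi)
    return p_minus, hi

def gaussian_interval(n, k, eps):
    """Normal approximation to the same bounds, for comparison only."""
    half = NormalDist().inv_cdf(1 - eps) * sqrt(k * (n - k) / n) / n
    return max(0.0, k / n - half), k / n + half

def y1_lower(mu0, mu1, Y0_plus, Y1_minus, y0_plus):
    """For n >= 2, mu1**n <= r * mu0**n with r = (mu1/mu0)**2, hence
    Y1*e^mu1 <= y0 + mu1*y1 + r*(Y0*e^mu0 - y0 - mu0*y1); solve for y1."""
    r = (mu1 / mu0) ** 2
    return (Y1_minus * exp(mu1) - r * Y0_plus * exp(mu0) - (1 - r) * y0_plus) / (mu1 - r * mu0)

MU0, MU1 = 0.487, 0.0639    # 85 km values from the page
EPS = 1e-7                  # assumed confidence parameter
# Constructed (pulses sent, detections) per level; mu2 is treated as exact vacuum.
COUNTS = {"mu0": (729_000_000, 1_064_583), "mu1": (108_000_000, 20_745), "vac": (40_000_000, 16)}

def bound_y1(interval):
    """Lower bound on y1 using the supplied interval function for every level."""
    (_, Y0p), (Y1m, _), (_, y0p) = (interval(n, k, EPS) for n, k in COUNTS.values())
    return y1_lower(MU0, MU1, Y0p, Y1m, y0p)

if __name__ == "__main__":
    n, k = COUNTS["vac"]
    print("y0+  exact %.3e  gaussian %.3e" % (exact_interval(n, k, EPS)[1], gaussian_interval(n, k, EPS)[1]))
    print("y1-  exact %.4e  gaussian %.4e" % (bound_y1(exact_interval), bound_y1(gaussian_interval)))
```

With these constructed counts the Gaussian upper bound on $y_0$ comes out well below the exact one, so it understates the background that has to be subtracted.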

FIG. 1: QKD system used in this work. DFB: distributed feedback
laser; VOA: variable optical attenuator; AM: amplitude modulator; 
LP: linear polarizer; RNG: random number generator. 



The switched interferometer QKD system used in this work
was identical to that described in detail elsewhere [19],
except for the addition of an amplitude modulator in Alice,
which was used to produce the different decoy state signal
strengths. As shown in Fig. 1, the system was composed of a
phase encoding switched interferometer and low-noise, high-efficiency
single-photon sensitive superconducting transition-edge
sensors (TESs) [21]. Synchronization for both Alice
and Bob was achieved through the use of a single clock, making
the system impractical for use outside the laboratory, but
straightforward modifications will yield a system with separate
clocks using quantum clock recovery techniques [22]. A
pattern generator pre-loaded with a random bit file provided
bit and basis selection for Alice, but in a practical system
cryptographically strong random number generators would provide
the selection [22]. These two relatively minor modifications
to the system will be implemented in the near future. In
contrast to our previous work using TESs in a phase encoded
system [23], in which we used one detector and time-multiplexed
the signals at Bob's phase decoder, here we used
two detectors to enable operation at a higher clock rate (2.5 
MHz for this experiment). The detectors had fiber-coupled 
system efficiencies of 33% and 50%, which were lowered 
from the detector value of 89% by the inclusion of filters to 
reduce the rate of blackbody radiation reaching the detectors. 
This imbalance between the two detectors reduces the entropy 
of the raw key, which must be accounted for during privacy 
amplification. The background rate of detection events, set by 
blackbody radiation, was 3 counts per second. The timing jitter
of the detectors was 100 ns FWHM, and the thermal recovery
time was 4 $\mu$s. The system transmitted over a 202 km link
of dark optical fiber, and shorter distances were obtained by
redefining Alice's enclave to include some length of the optical
fiber [9]. Redefining the system in this way simply means
that Alice has an extra attenuator composed of fiber that lowers
the mean photon number exiting her enclave. Therefore,
our mapping to shorter distances is completely equivalent to
using a shorter length of fiber.

We implemented a decoy-state BB84 protocol using three
levels of $\mu$: a high $\mu_0$, a moderate $\mu_1$, and a low $\mu_2$ that
approximates the vacuum state. The probabilities of sending
$\mu_0$, $\mu_1$, or $\mu_2$ were 83.1%, 12.3% and 4.6%, respectively.
Near-optimal $\mu$ values and probabilities were obtained by performing
simulations to maximize the secret bit rate for various
channel parameters. Because of the finite extinction ratio of
the amplitude modulator, $\mu_2$ was not zero but was instead less
than 1.0% of $\mu_0$. Use of a small nonzero value for $\mu_2$ results in
slightly worse bounds on the single photon transmission, and 
this effect was included in our analysis. The user-defined con- 
fidence parameter for each bound was chosen to be e = 10^^, 
resulting in a final key of which, with probability greater than 
1 — 6 X 10~^, Eve knows less than one bit. 

After sufficient data were collected, the bits arising from 
pulses at $\mu_0$ were sifted, error corrected, and privacy amplified.
After sifting, the bits were shuffled to permute the errors
and make error correction more efficient. In addition, half of 
the bits, randomly chosen, were flipped by both Alice and Bob 
to ensure that the final key had an equal distribution of zeros 
and ones. Error correction was performed using the modi- 
fied CASCADE algorithm [24], which has an efficiency of 
7-13% over the Shannon limit. We performed privacy ampli- 
fication using Toeplitz matrix universal hash functions [25] to 
provide protection against arbitrary basis-independent attacks
[26], yielding a total of $N_{\mathrm{sec}}$ secret bits:

$$N_{\mathrm{sec}} = s\,[1 - H_2(b_1^+)] - N_{\mathrm{sift}}\,[f_{\mathrm{ec}} H_2(B) + (1 - H_2(z))]$$

where $N_{\mathrm{sift}}$ is the number of sifted bits, $s$ is the calculated
lower bound on the number of single photons present in the
sifted key, $b_1^+$ is the calculated upper bound on the single photon
error rate, $f_{\mathrm{ec}}$ is the efficiency of the error correction protocol
relative to the Shannon limit, $B$ is the observed error
rate for all signals that enter the sifted key, $z$ is the fraction of
zeros in the sifted key before half the bits were flipped, and
$H_2$ is Shannon entropy.
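
An added example (not the authors' software) of the privacy amplification step described above: it evaluates the expression for $N_{\mathrm{sec}}$ and compresses a reconciled key to that length with a Toeplitz-matrix hash over GF(2). The block size, $f_{\mathrm{ec}} = 1.10$, $z = 0.52$ and the choice $b_1^+ = B N_{\mathrm{sift}} / s$ without a statistical margin are assumptions made for illustration; $B = 3.3\%$ and the single-photon fraction 0.46 are the values this page quotes for the 85 km data set.

```python
import secrets
from math import floor, log2

def h2(x):
    """Binary Shannon entropy H2(x) in bits."""
    return 0.0 if x <= 0.0 or x >= 1.0 else -x * log2(x) - (1 - x) * log2(1 - x)

def secret_bits(n_sift, s, b1_plus, f_ec, B, z):
    """N_sec = s[1 - H2(b1+)] - N_sift[f_ec*H2(B) + (1 - H2(z))], floored, never negative."""
    n_sec = s * (1 - h2(b1_plus)) - n_sift * (f_ec * h2(B) + (1 - h2(z)))
    return max(0, floor(n_sec))

def toeplitz_hash(key, n_in, seed, n_out):
    """Multiply an n_in-bit key by an n_out x n_in binary Toeplitz matrix (mod 2).

    Row i is the n_in-bit window of `seed` starting at bit i, so with key columns
    counted from the most significant bit, entry (i, j) = seed bit (i - j + n_in - 1):
    constant along diagonals. `seed` must carry n_in + n_out - 1 random bits."""
    window = (1 << n_in) - 1
    out = 0
    for i in range(n_out):
        parity = bin((seed >> i) & window & key).count("1") & 1   # GF(2) inner product
        out |= parity << i
    return out

def amplify(key, n_sift, seed, s, b1_plus, f_ec, B, z):
    """Return (final_key, n_sec) for one reconciled block of n_sift bits."""
    n_sec = secret_bits(n_sift, s, b1_plus, f_ec, B, z)
    return toeplitz_hash(key, n_sift, seed, n_sec), n_sec

# Constructed block. 0.46 and 3.3% are quoted on the page; the rest is assumed.
N_SIFT, B_OBS, F_EC, Z = 20_000, 0.033, 1.10, 0.52
S = round(0.46 * N_SIFT)                # lower bound on single-photon sifted bits
B1_PLUS = B_OBS * N_SIFT / S            # all errors charged to single photons, no CI margin

if __name__ == "__main__":
    key = secrets.randbits(N_SIFT)      # stand-in for the error-corrected sifted key
    n_sec = secret_bits(N_SIFT, S, B1_PLUS, F_EC, B_OBS, Z)
    seed = secrets.randbits(N_SIFT + n_sec - 1)   # public, but fresh for every block
    final, n_sec = amplify(key, N_SIFT, seed, S, B1_PLUS, F_EC, B_OBS, Z)
    print(f"{N_SIFT} sifted bits -> {n_sec} secret bits: {final:x}")
```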

We collected data at two different sets of values of $\mu$, one
selected for transmission at 85 km (corresponding to 117 km
of fiber being defined as residing within Alice) and the other
for 100 km (corresponding to 102 km of fiber residing within
Alice's enclave). For each data set, timing windows for accepting
detected events were chosen to maximize the secret
bit rate. From the first data set, using mean photon
numbers at the exit of Alice's enclave of $[\mu_0, \mu_1, \mu_2]$ = [0.487,
0.0639, $1.05 \times 10^{-3}$] at 85 km, we created 9.9 x 10^ secret bits
in 351 s from 2.2 x 10^ sifted bits using 120 ns windows. From
the second data set, which used mean photon numbers [0.297,
0.099, $2.75 \times 10^{-3}$] at 100 km, we generated 1.2 x 10'' secret
bits from 1.9x10^ sifted bits collected over 828 s with 220 ns
windows. The observed error rates at $\mu_0$ for the two data sets
were 3.3% and 4%, consistent with the expected error rate due
to interferometer visibility and background counts. The lower
bounds on the fraction of sifted bits that originated as single
photons were 0.46 and 0.55, compared to 0.61 and 0.74 for a
beamsplitter channel. The number of secret bits generated is
less than the number of non-PNS-secure bits that would have
been generated at $\mu_0$ by assuming a random deletion channel
(4.4 X lO'' and 4.9 x lO'' at 85 km and 100 km, respectively),
but those numbers assume that Eve is unable to modify the
channel properties. Consequently, the secret bits generated
using our decoy state protocol are immune to PNS attacks,
whereas they would not be PNS secure under the beamsplitter
channel assumption.

FIG. 2: Secret bit rate (bps denotes bits per second) vs transmission
distance for the two experimental data sets. The asterisks mark the
transmission distances quoted in the text. Longer distances could be
achieved in this system if different mean photon numbers are used.

Even though the $\mu$ values were chosen to be near-optimal
for particular link lengths, we can analyze the results over
other distances by redefining the system so that Alice's enclave
includes a different amount of the 202 km optical fiber
link [9]. Figure 2 shows the secret bit rate as a function of
transmission distance. For the data set optimized for 100 km,
we find that a secret key can be exchanged over 107 km of optical
fiber. Considerably longer ranges of 150-200 km should
be possible in this system by using different $\mu$ values optimized
for longer distances.

Because the extent to which the single photon transmittance
can be bounded is dependent on the photo-count statistics, acquiring
data for longer times will result in not only more secret
bits, but also a higher rate of secret bit production. Figure 3
displays the results of a simulation of longer acquisition times.
In general, the bound on single photon transmittance does not
depend on whether the quantum channel is stationary, but for
the simulation we assume that Eve does not vary her attack.
For a given confidence parameter, longer acquisition times result
in a tighter lower bound on the single photon transmittance
and a tighter upper bound on the single photon sifted bit
error rate, leading to a higher secret bit rate. For this simulation,
we have not adjusted the mean photon numbers used
when the data acquisition time is increased; re-optimization
of the mean photon numbers for longer times is expected to
increase the secret bit rate even further.

FIG. 3: Single photon transmittance, error rate, and secret bit
rate dependence on data acquisition time at 100 km. The dashed line
indicates the actual data acquisition time of 828 s at which secret bits
were generated; the other points on the graph are estimates based on
the data.

By incorporating low-noise transition-edge sensors into a 
one-way QKD system and implementing a three-level decoy 
protocol, we were able to generate key secure against PNS at- 
tacks and with only very limited susceptibility to Trojan horse 
attacks over 107 km of optical fiber. This distance far sur- 
passes the previous maximum PNS-secure transmission dis- 
tance of 67.5 km that used very weak mean photon numbers 
rather than the decoy state protocol in essentially the same 
system. In contrast to other work, this demonstration was
the first to implement a finite-statistics protocol to bound the 
channel transmittances without resorting to Gaussian approxi- 
mations. We used a conservative method to estimate the error 
rate on single photon signals, but future work may incorpo- 
rate tighter bounds on the single photon error rate, resulting in 
higher secret bit rates and longer ranges. System clock rates 
as much as five times higher are expected to be achieved with 
improvements in the detector readout electronics, leading to 
higher secret bit rates. Based on the results of simulations, we 
expect that this system is capable of PNS-secure decoy-state 
QKD over 150-200 km of optical fiber, and improvements in
filtering of the ambient blackbody photons could increase this
distance even further to 250 km or more. 

Note added: Recently, we became aware of similar work 
performed elsewhere [27]. 